<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PF: Lists and Macros</title>
<link rev="made" href="mailto:www@openbsd.org">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="resource-type" content="document">
<meta name="description"   content="the OpenBSD FAQ page">
<meta name="keywords"      content="openbsd,faq,pf">
<meta name="distribution"  content="global">
</head>

<!--
Copyright (c) 2003, Nick Holland <nick@openbsd.org>
Copyright (c) 2003, 2004, Joel Knight <enabled@myrealbox.com>

Permission to use, copy, modify, and distribute this documentation for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.

THE DOCUMENTATION IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS DOCUMENTATION INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS DOCUMENTATION
-->

<body bgcolor="#ffffff" text="#000000">
<!-- Passes validator.w3.org, please keep it this way;
please, use a max of 72 chars per line -->

<a href="../../../zh/index.html">
<img alt="[OpenBSD]" height=30 width=141
    src="../../../images/smalltitle.gif" border="0">
</a>
<p>
[<a href="config.html">Previous: Getting Started</a>]
[<a href="index.html">Contents</a>]
[<a href="tables.html">Next: Tables</a>]

<h1><font color="#e00000">PF: Lists and Macros</font></h1>
<hr>

<h3>Table of Contents</h3>
<ul>
<li><a href="#lists">Lists</a>
<li><a href="#macros">Macros</a>
</ul>

<hr>

<a name="lists"></a>
<h2>Lists</h2>
A list allows several similar criteria to be specified within one rule,
for example multiple protocols, ports or addresses. So instead of writing
one filter rule for every IP address, a single rule can name all of them
in a list. A list is defined by placing its items inside braces
<tt>{ }</tt>.

<p>
When
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&amp;sektion=8&amp;manpath=OpenBSD+4.3"
>pfctl(8)</a> encounters a list while loading the ruleset, it creates one
rule for each item in the list. For example:
<blockquote>
<tt>
block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any
</tt>
</blockquote>

<p>
expands to:
<blockquote>
<tt>
block out on fxp0 from 192.168.0.1 to any<br>
block out on fxp0 from 10.5.32.6 to any
</tt>
</blockquote>

<p>
Several lists can be used within one rule, and lists are not limited to
filter rules:
<blockquote>
<tt>
rdr on fxp0 proto tcp from any to any port { 22 80 } -&gt; \<br>
&nbsp;&nbsp;&nbsp;192.168.0.6<br>
block out on fxp0 proto { tcp udp } from { 192.168.0.1, \<br>
&nbsp;&nbsp;&nbsp;10.5.32.6 } to any port { ssh telnet }
</tt>
</blockquote>

<p>
Note that the commas between list items are optional.

<p>
Lists can also be nested:

<blockquote>
<tt>
trusted = "{ 192.168.1.2 192.168.5.36 }"<br>
pass in inet proto tcp from { 10.10.0.0/24 $trusted } to port 22
</tt>
</blockquote>

<p>
Beware of the following construct, known as a "negated list"; it is a
common mistake:
<blockquote>
<tt>
pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }
</tt>
</blockquote>

<p>
The intention is usually to match "every address in 10.0.0.0/8 except
10.1.2.3", but the rule expands to:
<blockquote>
<tt>
pass in on fxp0 from 10.0.0.0/8<br>
pass in on fxp0 from !10.1.2.3
</tt>
</blockquote>

<p>
which matches every possible address. A <a href="tables.html">table</a>
should be used here instead.
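<p>
The list expansion and the negated-list pitfall described above, modelled
in Python as an added example (this is not code from the FAQ or from pfctl
itself): <tt>expand_lists()</tt> produces the same cross product of list
items that pfctl(8) loads, <tt>any_rule_matches()</tt> shows that the two
rules produced by the negated list together pass every address, and
<tt>table_matches()</tt> goes one step beyond the text by modelling the
table lookup that the last sentence recommends, where the longest-prefix
entry decides and a <tt>!</tt> entry excludes an address. The function
names and the sample addresses 10.7.7.7 and 8.8.8.8 are constructed for
the example.

```python
import ipaddress
import itertools
import re

# A top-level "{ ... }" group in a rule. Once macros have been expanded,
# pf.conf lists do not nest any further, so matching one pair of braces
# at a time is enough.
LIST_RE = re.compile(r"\{([^{}]*)\}")


def expand_lists(rule):
    """Return the rules pfctl(8) would load for one rule containing zero
    or more lists: the cross product of all the lists' items."""
    groups = LIST_RE.findall(rule)
    if not groups:
        return [rule.strip()]
    # Commas between list items are optional, so treat them as whitespace.
    choices = [group.replace(",", " ").split() for group in groups]
    template = LIST_RE.sub("{}", rule)
    return [template.format(*combo).strip()
            for combo in itertools.product(*choices)]


def source_matches(rule, addr):
    """Does the 'from' clause of one already expanded rule match addr?
    Only the source address is modelled; that is all the negated-list
    pitfall needs."""
    m = re.search(r"\bfrom\s+(!?)(\S+)", rule)
    if m is None:
        return True                     # no 'from' clause means 'from any'
    negated, spec = m.groups()
    if spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != bool(negated)         # a leading '!' inverts the match


def any_rule_matches(rule_with_lists, addr):
    """True if at least one expanded rule matches addr. Since every
    expanded rule carries the same action, that is what the packet gets."""
    return any(source_matches(r, addr) for r in expand_lists(rule_with_lists))


def table_matches(entries, addr):
    """Lookup in a pf table: the most specific (longest prefix) entry that
    contains addr decides, and a '!' entry excludes the address. This is
    the table form the text recommends instead of a negated list."""
    ip = ipaddress.ip_address(addr)
    best = None
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


if __name__ == "__main__":
    for r in expand_lists("block out on fxp0 proto { tcp udp } from "
                          "{ 192.168.0.1, 10.5.32.6 } to any port { ssh telnet }"):
        print(r)
    bad = "pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }"
    good = ["10.0.0.0/8", "!10.1.2.3"]    # the same intent, as table entries
    for addr in ("10.1.2.3", "10.7.7.7", "8.8.8.8"):
        print(addr, "passed by negated list:", any_rule_matches(bad, addr),
              "passed by table:", table_matches(good, addr))
```

<p>
Running the script prints the eight rules the three-list example loads as,
then shows that the negated list passes 10.1.2.3, 10.7.7.7 and 8.8.8.8
alike, while the table passes only 10.7.7.7.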

<a name="macros"></a>
<h2>Macros</h2>
Macros are user-defined variables that can hold IP addresses, port
numbers, interface names and so on. Macros reduce the complexity of a PF
ruleset and make it easier to maintain.

<p>
A macro name must start with a letter and may contain letters, digits and
underscores. It cannot be a reserved word such as <tt>pass</tt>,
<tt>out</tt> or <tt>queue</tt>.

<blockquote>
<tt>
ext_if = "fxp0"<br>
<br>
block in on $ext_if from any to any<br>
</tt>
</blockquote>

<p>
This creates a macro named <tt>ext_if</tt>. Once a macro has been
created, it is referred to by prefixing its name with the <tt>$</tt>
character.

<p>
Macros can also expand to lists, for example:
<blockquote>
<tt>
friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }"
</tt>
</blockquote>

<p>
Macros can be defined recursively. Because macros are not expanded inside
quotes, the following syntax must be used:
<blockquote>
<tt>
host1      = "192.168.1.1"<br>
host2      = "192.168.1.2"<br>
all_hosts  = "{" $host1 $host2 "}"<br>
</tt>
</blockquote>

<p>
The macro <tt>$all_hosts</tt> now expands to 192.168.1.1, 192.168.1.2.
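<p>
The macro rules above, modelled in Python as an added example (not code
from the FAQ or from pfctl): <tt>define_macro()</tt> enforces the naming
rule and rejects reserved words, <tt>expand()</tt> substitutes every
unquoted <tt>$name</tt> while leaving a <tt>$</tt> inside double quotes
literal, and <tt>load()</tt> runs a few pf.conf lines through both. The
<tt>RESERVED</tt> set is only a subset of pf.conf's keywords, chosen so the
three words the text names are covered, and the function names are
constructed for the example.

```python
import re

# A subset of pf.conf's keywords; the real grammar reserves more, but these
# cover the examples the text names (pass, out, queue).
RESERVED = {"pass", "block", "in", "out", "on", "from", "to", "any",
            "proto", "port", "queue", "table", "set", "match", "rdr", "nat"}

# A macro name starts with a letter and continues with letters, digits, '_'.
MACRO_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def tokenize(text):
    """Split a pf.conf fragment into (token, was_quoted) pairs; a
    double-quoted string becomes one token with its quotes removed."""
    return [(m.group(1) if m.group(1) is not None else m.group(2),
             m.group(1) is not None)
            for m in re.finditer(r'"([^"]*)"|(\S+)', text)]


def expand(macros, text):
    """Replace every unquoted $name with the macro's value. A $ inside
    double quotes stays literal, which is why the all_hosts example has
    to close the quotes around each brace."""
    out = []
    for token, quoted in tokenize(text):
        if not quoted and token.startswith("$"):
            name = token[1:]
            if name not in macros:
                raise KeyError(f"macro {name} used before it was defined")
            out.append(macros[name])
        else:
            out.append(token)
    return " ".join(out)


def define_macro(macros, line):
    """Process one 'name = value' line. The value is expanded when the
    macro is defined, so a macro may be built from earlier macros."""
    name, sep, value = line.partition("=")
    name = name.strip()
    if not sep or not MACRO_NAME.fullmatch(name) or name in RESERVED:
        raise ValueError(f"invalid macro name: {name!r}")
    macros[name] = expand(macros, value)
    return macros[name]


def load(lines):
    """Expand a list of pf.conf lines: definitions are recorded, every
    other line is returned with its macros substituted."""
    macros, rules = {}, []
    for line in lines:
        if re.match(r"\s*[A-Za-z_][A-Za-z0-9_]*\s*=", line):
            define_macro(macros, line)
        else:
            rules.append(expand(macros, line))
    return rules


if __name__ == "__main__":
    conf = [                            # constructed pf.conf fragment
        'ext_if    = "fxp0"',
        'host1     = "192.168.1.1"',
        'host2     = "192.168.1.2"',
        'all_hosts = "{" $host1 $host2 "}"',
        'block in on $ext_if from any to any',
        'pass in on $ext_if from $all_hosts to any port 22',
    ]
    for rule in load(conf):
        print(rule)
```

<p>
Defining <tt>wrong = "{ $host1 $host2 }"</tt> through the same code keeps
the value as the literal text <tt>{ $host1 $host2 }</tt>, which is the
behaviour the paragraph above warns about.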

<p>

[<a href="config.html">Previous: Getting Started</a>]
[<a href="index.html">Contents</a>]
[<a href="tables.html">Next: Tables</a>]

<p>
<hr>
<a href="index.html"><img height="24" width="24"
    src="../../../images/back.gif" border="0" alt="[back]"></a>
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br>
<small>$OpenBSD: macros.html,v 1.22 2008/07/27 17:13:47 nick Exp $</small>

</body>
</html>
<!--
Originally [OpenBSD: macros.html,v 1.22]<br>
$Translation: macros.html,v 1.4 2008/08/05 04:10:02 dongsheng Exp $<br>
-->
